Secure Coding: Principles and Practices

by Kenneth R. Van Wyk, Mark G. Graff

Book Summary Information

Author: Kenneth R. Van Wyk, Mark G. Graff
Edition: Paperback
Audio: English (Unknown); English (Original Language); English (Published)
Published: 2003-07
ISBN: 0596002424
Number of pages: 200
Publisher: O'Reilly Media

Book Reviews of Secure Coding: Principles and Practices

Book Review: "Secure Coding" Should Be THE BIBLE For IT Professionals
Summary: 5 Stars

There are some books that I believe should be mandatory reading for any person studying computer science, information technology auditing, or some other related fields, and that should also be on the must-read lists of any technology professional. I do not often come across a book like this. Secure Coding: Principles and Practices (204 pages, O'Reilly Media, 2003, ISBN 0-596-00242-4) by Mark C. Graff and Kenneth R. van Wyk, however, meets my "must-read" criteria and then some.

Why do I feel this way? The first reason is that the credentials of the authors far exceed those of many other authors I have read. For starters, van Wyk has his engineering degree from Lehigh University, which in some quarters used to be regarded as a far superior engineering school than Stanford and MIT. As one of the founders of the Computer Emergency Response Team (CERT) at Carnegie Mellon University, van Wyk also served as the Operations Chief of the Defense Information Systems Agency (DISA). Graff, at the time he wrote the book, was the Chief Cyber Security Officer at Lawrence Livermore National Lab and often serves as a Congressional expert witness on Internet security.

When people have credentials such as these, a reader might be afraid to pick up a book like this for fear of being intimidated by the writing of such highly qualified people. But that is the very first surprise of the book: it is written in such a plain-speak fashion with little or no unneeded fluff, that it is extremely easy to grasp their message and see how it would apply to an information technology professional's daily work routine. This is not something easily discounted, as there are many other books out there two to three more pages long that convey less than 50% of what is offered in this book.

The authors follow a very simple and well-laid-out path in presenting their story. They are up front in saying that if someone claims to be an expert or that they claim they can lock down an application 100%, you should run for the hills (well, not exactly in those words). But this extreme is countered with a discussion of why people write bad code, a reason that is often lost on security "experts" and auditors: people are human and respond to the various stimuli in their environment. Nobody likes to write bad code, they posit, but sometimes there is not often a choice.

As I read more of the book, I felt that these two individuals should be teaching IT audit classes and security audit classes. They are not afraid to point out that policy (and by extension business processes) should drive architecture and design decisions, not the other way around. They do not pull punches in saying that it can be dangerous to over-architect or over-design an application or system. They clearly lay out their arguments in terms that should be familiar to any IT auditor: controls, risk assessments, threats, and more. For IT developers and administrators, there are more than enough examples and discussions so that their points hit home. There are more than enough tips in the book that taught me new ways to approach my coding.

If you are serious about wanting to do the best job possible, regardless of what you do, and want value in any resources you purchase, this book is it. In fact, you can download the first chapter in PDF format from O'Reilly (see link below) to get a feel for what I am talking about.

The Scorecard

Double Eagle on a Par 5

Summary of Secure Coding: Principles and Practices

Practically every day, we read about a new type of attack on computer systems and networks. Viruses, worms, denials of service, and password sniffers are attacking all types of systems -- from banks to major e-commerce sites to seemingly impregnable government and military computers -- at an alarming rate.

Despite their myriad manifestations and different targets, nearly all attacks have one fundamental cause: the code used to run far too many systems today is not secure. Flaws in its design, implementation, testing, and operations allow attackers all-too-easy access.

Secure Coding, by Mark G. Graff and Ken van Wyk, looks at the problem of bad code in a new way. Packed with advice based on the authors' decades of experience in the computer security field, this concise and highly readable book explains why so much code today is filled with vulnerabilities, and tells readers what they must do to avoid writing code that can be exploited by attackers. Writing secure code isn't easy, and there are no quick fixes to bad code. To build code that repels attack, readers need to be vigilant through each stage of the entire code lifecycle:

  • Architecture: during this stage, applying security principles such as "least privilege" will help limit even the impact of successful attempts to subvert software.
  • Design: during this stage, designers must determine how programs will behave when confronted with fatally flawed input data. The book also offers advice about performing security retrofitting when you don't have the source code -- ways of protecting software from being exploited even if bugs can't be fixed.
  • Implementation: during this stage, programmers must sanitize all program input (the character streams representing a program's entire interface with its environment -- not just the command lines and environment variables that are the focus of most security analysis).
  • Testing: during this stage, programs must be checked using both static code checkers and runtime testing methods -- for example, the fault injection systems now available to check for the presence of such flaws as buffer overflow.
  • Operations: during this stage, patch updates must be installed in a timely fashion. In early 2003, sites that had diligently applied Microsoft SQL Server updates were spared the impact of the Slammer worm that did serious damage to thousands of systems.

Beyond the technical, Secure Coding sheds new light on the economic, psychological, and sheer practical reasons why security vulnerabilities are so ubiquitous today. It presents a new way of thinking about these vulnerabilities and ways that developers can compensate for the factors that have produced such unsecured software in the past. It issues a challenge to all those concerned about computer security to finally make a commitment to building code the right way.
